Enhanced short message and method for synchronizing and ensuring security of enhanced short messages exchanged in a cellular radio communication system

ABSTRACT

The invention concerns a particular structure of enhanced short message, and a method for synchronizing and ensuring the security of exchanged enhanced short messages having this structure. Conventionally, an enhanced message is transmitted by a message service centre to a subscriber identification module (or SIM module) of a mobile station. The body ( 2 ) of this enhanced message contains in particular a first field ( 3 ) for remote commands pertaining to a remote application. This body ( 2 ) also contains a second field ( 4 ) for storing the current value of a synchronizing counter, to be compared to a previous value of the synchronizing counter, stored in the SIM module. The body ( 2 ) can contain another field ( 6 ) for storing a certificate, the body signature, for proving the authenticity of the enhanced message and the identity of its transmitter. The enhanced message is accepted or refused by the SIM module depending on the coherence of these values with the internal status of the SIM module.

The invention relates to messages exchanged in cellular radiocommunication systems. In general, these messages are exchanged betweena message service center and a plurality of mobile stations. Each mobilestation is composed of a terminal cooperating with a microprocessor usercard called subscriber identity module (SIM).

More specifically, the invention relates to a particular enhancedmessage structure and a method for synchronizing and ensuring securitywhen exchanging enhanced messages having this structure.

In the field of cellular radio communication, the GSM standard (globalsystem for mobile public communications operating in the 900 MHz band)is known, primarily in Europe.

The invention applies, in particular, but not exclusively, to a systemaccording to this GSM standard.

In general, a terminal is a piece of physical equipment used by anetwork user to access the telecommunications services offered. Thereare a number of different terminal types such as portables or evenmobiles mounted on vehicles.

When a terminal is used by a user, the latter must connect his user card(SIM module), which is generally in the form of a smart card, to theterminal.

The user card supports a principal telephone application (for examplethe GSM application) which allows it, as well as the terminal to whichit is connected in the cellular communications system, to operate. Inparticular, the user card provides the terminal with which it isconnected with a unique subscriber identifier (or IMSI identifier,standing for “International Mobile Subscriber Identity”). For thispurpose, the user card includes command execution means (for example amicroprocessor and a program memory) and data storage means (for examplea data storage).

The IMSI identifier, and all the individual information about thesubscriber, to be used by the terminal, are stored in the data storagemeans of the SIM module. This enables each terminal to be used with anySIM module.

In certain known systems, particularly in a GSM system, there is a shortmessage service (SMS) for sending short messages to mobile stations.These messages are transmitted by a short message service center(SMS-C).

When a mobile station receives a short message, it stores it in the datastorage means of its SIM module. The principal telephone application ofeach SIM module handles each short message received.

Originally, the only function of a message was to provide information tothe subscriber, generally via a terminal display screen. Messages thathave this single function, known as short messages, thus contain onlyraw data.

Subsequently, an enhanced short message system (ESMS) was designed inwhich two types of short messages could be sent, namely the normalmessages referred to above and enhanced messages which could containcommands.

Thus, the proposal has already been made that commands for updating orreconfiguring this SIM module remotely be transmitted to an SIM modulevia enhanced messages. In other words, commands encapsulated in enhancedmessages enable the main telephone application of the SIM module to bemodified. In this way, the SIM module can be reconfigured without havingto bring it to a point of sale (and hence the SIM module can executeadministrative commands when it is in the application phase).

It has also been proposed that the SIM module serve as a support forapplications other than the principal telephone application such as inparticular vehicle renting, payment, or loyalty applications.

Since the commands belonging to these other applications are containedin enhanced messages, which are thus external to the SIM module, theseother applications are known as remote or OTA (“Over The Air”). On theother hand, the principal telephone application, whose commands arecontained in the SIM module data storage means, is known as “local.” Thecommands are also known as “local” or “remote” depending on whether theapplication to which they belong is itself local or remote.

Hence, remote applications (renting, payment, reconfiguration ofprincipal telephone application, etc.) can be executed with these remotecommands.

It is clear that this recent remote application (or OTA application)concept is highly advantageous for the subscriber. The latter is able tocarry out numerous applications such as renting a vehicle or paying fora service very easily simply by inserting his SIM module into aterminal.

In other words, the SIM module is made to do something different(essentially, more commands) that what it is normally able to do once itis in its application phase, namely once it is inserted into a cellulartelephone in the user's hand.

This enhanced working capacity of the SIM module entails particularsecurity requirements. This mechanism, which is in fact an additionalgateway into the SIM module, should prevent any person from carrying outactions in the SIM module from which he is normally prohibited.

Resynchronization, uniqueness of each message, integrity of eachmessage, and authenticity of the transmitting entity are some of theparticular security requirements linked to the utilization of enhancedmessages.

This is because it is important to be able to resynchronize the messagesource and the SIM module if there are transmission problems on thenetwork. Due to transmission problems in the enhanced message channel,neither the path of an enhanced message nor the transmission sequence ofseveral enhanced messages can be guaranteed.

The requirement that each message be unique avoids replaying a messageeither accidentally (indeed, the path followed by an enhanced message issuch that a given message could be transmitted several times to an SIMmodule) or intentionally (i.e. fraudulently with the idea of having theSIM module execute the same command sequence, such as the commandsenabling a prepaid telephone unit meter in the SIM module to berecredited, several times in succession).

The requirement of integrity of each message prevents a message frombeing corrupted either accidentally (also due to the transmission pathbetween the message service center and the mobile station) orintentionally (with the idea of modifying a message and forcing it tocarry out other actions more sensitive than those planned by the messagesource).

The requirement that the transmitting entity be authentic ensures thatit is indeed authorized to send enhanced messages. This remoteapplication mechanism must be reserved for particular transmitters (suchas operators and suppliers of services).

The recent remote application concept as currently implemented provesnot to meet all these particular security requirements.

The only proposal made to date has been to introduce a checksum intoeach enhanced message and run a check procedure in which a secret codeis presented before remote commands contained in the enhanced messageare executed.

Clearly, this solution is incomplete and thus unsatisfactory.

First of all, the use of a checksum, which is a relatively basicsolution, only ensures that the transmission has been carried outcorrectly.

Also, procedures of the secret code checking type do not offersufficient security guarantees if an enhanced message is intercepted.Since the identifier information does not vary from one message toanother, it is easy for an unauthorized person to replay a message, andpass off a fraudulently intercepted message as authentic.

Finally, this known solution does not meet the other requirements listedabove, namely resynchronization and integrity of the messages.

The goal of the invention is to overcome these drawbacks of the priorart.

More specifically, one of the goals of the present invention is toprovide a method for synchronizing and ensuring security of an exchangeof enhanced messages and a corresponding enhanced message structureenabling the message source and the SIM module to be resynchronized ifthere are transmission problems on the network.

Another goal of the invention is to provide such a method and such anenhanced message structure ensuring uniqueness of each enhanced messagetransmitted.

Another goal of the invention is to provide such a method and such anenhanced message structure that ensure the integrity of each enhancedmessage transmitted.

A supplementary goal of the invention is to provide such a method andsuch an enhanced message structure that ensure the authenticity of theentity transmitting the enhanced messages.

These goals, and others which will emerge hereinbelow, are achievedaccording to the invention with the aid of an enhanced message of thetype transmitted by a message service center to a mobile station of acellular radio communication system, the enhanced message including aheader and a body, the body containing in particular a first fieldstoring remote commands belonging to an application remote from themobile station,

the mobile station constituting a terminal cooperating with a subscriberidentification module, the terminal including means for receiving theenhanced message, the subscriber identification module including meansfor storing and processing the enhanced message received by theterminal, the subscriber identification module serving to support theremote application and including means for executing the remotecommands,

the enhanced message being characterized in that the body also includesa second field (4) for storing the current value of a synchronizationcounter,

the current value of the synchronization counter being intended to becompared to a previous value of the synchronization counter stored inthe subscriber identification module so that the enhanced message isaccepted or rejected by the subscriber identification module dependingon the result of comparing the current value with the previous value ofthe synchronization counter, the previous value being updated with thecurrent value only once the enhanced message has been accepted by thesubscriber identification module.

Thus, synchronization between the message service center and thesubscriber identification module (or SIM module) is based on the use ofa computer shared by these two entities. Each message transmitted to theSIM module contains the current value of this synchronization counter.This current value is unique for each message. The SIM module retainsthe previous synchronization counter value, which it compares to thecurrent value contained in each message in order to accept or rejectthis message.

If there is a problem when the message is transmitted, the SIM modulecan resynchronize with the message source when the next message is sentbecause the current synchronization counter value is contained in eachmessage.

If the SIM module supports several remote applications, each of them canbe associated with a separate synchronization counter, in which case theSIM module stores the previous values of the various counters.

Advantageously, the body of the enhanced message also includes a thirdfield storing a first piece of information pinpointing the location ofthe previous synchronization counter value in the subscriberidentification module data storage means.

This is particularly useful where the SIM module supports several remoteapplications. In these cases, when it receives a message, it is thecontent of the third field that tells the SIM module whichsynchronization counter to use.

In a preferred embodiment of the invention, wherein the subscriberidentification module data storage means have a hierarchical structurewith at least three levels including at least the following three typesof files:

master file;

dedicated file or secondary file placed under the master file,

elementary file placed under one of the dedicated files, known as parentdedicated file, or directly under the master file, known as parentmaster file,

an elementary system file (EF SMS System) specific to each remoteapplication containing a second piece of information pinpointing thelocation of the previous synchronization counter value in the subscriberidentification module data storage means,

the enhanced message is characterized in that the first piece oflocating information contained in the third storage field is anidentifier of a dedicated file or master file to which the elementarysystem file relates according to a predetermined search strategy in thedata storage means.

Thus, each message includes an identifier enabling the SIM module tofind the elementary system file with which the remote applicationtransmitting this message is linked. This elementary system file alsoincludes the previous synchronization counter value associated with thismessage-transmitting remote application.

Preferably, the body also includes a fourth field (6) storing acryptogram, known as transmitted cryptogram, calculation of which atleast partially involves the content of the second field stored thecurrent synchronization counter value,

the transmitted cryptogram being intended to be compared with anothercryptogram, known as local cryptogram, calculated by the subscriberidentification module so that the enhanced message is accepted by thesubscriber identification module if the transmitted and localcryptograms are identical, and rejected if they are not.

In other words, the use of a synchronization counter and a cryptogram iscombined. This greatly enhances the security of message exchangesbetween the message service center and the SIM module.

The use of a cryptogram enables the SIM module to ensure that thetransmitter of a message is indeed an authorized source (one speaks alsoof transmitter entity authenticity) and ensures the integrity of themessage.

Moreover, synergy exists between the use of the synchronization counterand that of the cryptogram since calculation of the latter involves thecurrent counter value.

First, since the current counter value is different for each message,the same message cannot be fraudulently replayed. In other words, theuniqueness of each message is ensured.

Also, since the current counter value is contained in the message, theSIM module knows which current value has been used to calculate thecryptogram and can thus calculate the comparison cryptogram (localcryptogram) on the same basis.

Finally, transmitting the current counter value in the message alsoensures that a received message can be accepted even if the message ormessages transmitted prior to it have not been received (or neverarrived).

Advantageously, calculation of the transmitted and verificationcryptograms also involves, at least partially, the content of the firstfield storing the remote commands.

In one advantageous embodiment of the invention, calculation of thetransmitted and verification cryptograms involves at least the entirecontent of the second field storing the current synchronization countervalue and the entire content of the first field storing the remotecommands. This ensures the quality of the security process.

Preferably, the transmitted and verification cryptograms are calculatedwith a cryptographic function belonging to the group including:

the secret key cryptographic functions; and

the public key cryptographic functions.

Thus, the invention is not confined to the use of a particular type ofcryptographic function.

Preferably, the subscriber identification module stores, in thesubscriber identification module data storage means, a cryptographicfunction and an associated key which are specific to the remoteapplication and enable the local cryptogram to be calculated,

the enhanced message is characterized in that the body of the enhancedmessage also includes a fifth field storing a third piece of informationpinpointing the location in the data storage means where thecryptographic function and the associated key specific to the remoteapplication are stored.

This is particularly useful in the case where the SIM module supportsseveral remote applications, each associated with a different pair(cryptographic function/key) and where the SIM module stores the variouspairs associated with these applications. In this case, when it receivesa message, it is the content of the fifth field that tells the SIMmodule which pair (cryptographic function/key) to be used.

In a preferred embodiment of the invention, the third field alsoconstitutes the fifth field, and the first piece of locating informationalso constitutes the third piece of locating information.

Thus, the content of the third field tells the SIM module not only whichsynchronization counter to use but also which pair (cryptographicfunction/key).

Advantageously, the body also includes a sixth field storing a checksum,known as transmitted checksum, calculation of which involves, at leastin part, the contents of the first field storing remote commands,

the transmitted checksum being intended for comparison with anotherchecksum known as local checksum, calculated by the subscriberidentification module, so that the enhanced message is accepted by thesubscriber identification module if the transmitted checksum and thelocal checksum are identical, and rejected if they are not.

This use of a checksum constitutes an additional security level. Itenables a message that was modified accidentally for example to berapidly rejected without cryptographic calculations having to be done.

Moreover, if the possibility of decoupling the cryptogram check from thecounter check under certain conditions is provided, the “checksum” fieldwill, but with a very relative level of guarantee, itself ensure thatthe message has not been accidentally or intentionally corrupted.However it is clear that this possibility must be reserved forconfigurations where the logical security linked to remote applicationslimits the actions possible in the SIM module.

Advantageously, the subscriber identification module includes aninput/output line over which it receives local commands belonging to anapplication local to the mobile station,

the enhanced message is characterized in that the remote commandscontained in the first field of the enhanced message are substantiallyidentical to the local commands received over the input/output line.

In this way, the SIM module can handle both types of commands, local andremote, without it being necessary to duplicate the executable code ofthe SIM module (this code is generally in the ROM or EEPROM).

The invention also relates to a method for synchronizing and ensuringsecurity of enhanced messages exchanged between a message service centerand a mobile station of a cellular radio communication system, eachenhanced message including a header and a body, the body containing inparticular a first field for storing remote commands belonging to aremote application of the mobile station,

the mobile station constituting a terminal cooperating with a subscriberidentification module, the terminal including means for receiving theenhanced message, the subscriber identification module including meansfor storing and processing the enhanced message received by theterminal, the subscriber identification module serving to support theremote application and including means for executing the remotecommands,

the method being characterized by having in particular the followingsteps:

the message service center transmits to the mobile station an enhancedmessage whose body also includes a second field in which the currentvalue of a synchronization counter is stored;

the subscriber identification module of the mobile station compares thecurrent synchronization counter value contained in the enhanced messagewith a previous synchronization counter value stored in the subscriberidentification module;

the subscriber identification module accepts or rejects the enhancedmessage depending on the result of comparing the current with theprevious synchronization counter values;

if the enhanced message has been accepted, the subscriber identificationmodule updates the previous value with the current value.

Preferably, for each new enhanced message of the remote applicationtransmitted by the message service center, the current synchronizationcounter value is incremented by a predetermined step,

and the enhanced message is accepted by the subscriber identificationmodule only if the current synchronization counter value is higher thanthe previous value.

In other words, to prevent a message from being replayed, any newcurrent value must be higher than that contained in the last acceptedmessage (i.e. the previous value stored in the SIM module).

Preferably, the step in which the previous synchronization counter valueis updated with the current value is carried out only if the differencebetween the current and previous values is less than a maximumpredetermined increment.

Thus, the counter is prevented from being locked at its maximum valuetoo rapidly. This increases the service life of the counter and preventsthe type of attack in which the SIM module is quickly locked by bringingthe counter to its maximum value. When it is locked in this way, thecounter cannot be reset to zero by a remote application. It can beunlocked only by an administrative procedure which generates additionalcost.

Advantageously, the method also includes the following step:

when the enhanced message is rejected by the subscriber identificationmodule, the latter sends back to the message service center an enhancedmessage containing a specific error code telling the message servicethat the enhanced message that it previously transmitted was rejecteddue to a counter synchronization problem.

This is particularly the case when two successive messages, for examplewith the current counter values N and N+1 respectively, are not receivedin the order they were sent. If the first message received is accepted,the second message is rejected (as explained below) and the transmittingentity can advantageously be informed of the reason for rejection,namely a synchronization problem.

It will be understood that when the SIM module receives the firstmessage (value N+1), the previous value that it stores is N−1. Hence thecurrent value of the first message, equal to N+1, is greater than thisvalue N−1. The previous value is then updated with the current value ofthe first message received, and when the SIM module receives the secondmessage, the previous value it stored is hence N+1. Thus, the currentvalue of the second message, equal to N, is less than this previousvalue, N+1, justifying rejection of this second message due to asynchronization problem.

Advantageously, the body of the enhanced message transmitted by themessage service center to the mobile station also includes a third fieldstoring a first piece of information pinpointing the storage location,in the subscriber identification module data storage means, of theprevious synchronization counter value,

the comparison step by the subscriber identification module of thecurrent and previous synchronization counter values is preceded by thefollowing steps:

the subscriber identification module reads the first piece of locatinginformation contained in the third field of the enhanced message;

the subscriber identification module deduces therefrom the storagelocation of the previous synchronization counter value;

the subscriber identification module reads, in the storage location, theprevious synchronization counter value.

In a preferred embodiment of the invention, the body of the enhancedmessage transmitted by the message service center to the mobile stationalso includes a fourth field storing a cryptogram, known as transmittedcryptogram, calculated using at least part of the contents of the secondfield storing the current synchronization counter value,

and the method also includes the following steps:

the subscriber identification module calculates a local cryptogram,using at least in part the contents of the second field of the enhancedmessage;

the subscriber identification module compares the transmitted cryptogramto the local cryptogram so that the enhanced message is accepted if thetransmitted and local cryptograms are identical and rejected if they arenot.

Advantageously, the subscriber identification module stores, in thesubscriber identification module data storage means, a cryptographicfunction and an associated key that are specific to the remoteapplication enabling the local cryptogram to be calculated,

the method is characterized in that the body of the enhanced messagetransmitted by the message service center to the mobile station alsoincludes a fifth field storing a third piece of information pinpointingthe storage location, in the data storage means, of the cryptographicfunction and the associated key,

and in that the step in which the subscriber identification modulecalculates the local cryptogram has the following steps:

the subscriber identification module reads the third piece of locatinginformation contained in the fifth field of the enhanced message;

the subscriber identification module deduces from this the storagelocation of the cryptographic function and the associated key;

the subscriber identification module calculates the local cryptogram,using the cryptographic function, the associated key, and at least partof the contents of the second field of the enhanced message.

In a preferred embodiment of the invention wherein the subscriberidentification module data storage means possess a hierarchicalstructure with at least three levels having at least the following threetypes of files:

master file;

dedicated file, or secondary file placed under the master file,

elementary file placed under one of the dedicated files, known as parentdedicated file, or directly under the master file, known as parentmaster file,

the method being characterized in that an elementary system file (EF SMSSystem) specific to each remote application, contains a second piece ofinformation pinpointing the location, in the subscriber identificationmodule data storage means, of the previous synchronization countervalue, of the cryptographic function, and of the associated key,

and in that the third field also constitutes the fifth field with thefirst piece of locating information also constituting the third piece oflocating information,

and in that the first piece of locating information contained in thethird storage field is an identifier of a dedicated file (DF) or masterfile (MF) to which the elementary system file (EF SMS System) relatesaccording to a predetermined search strategy in the data storage means.

Advantageously, the body of the enhanced message transmitted by themessage service center to the mobile station also includes a sixth fieldstoring a checksum, known as transmitted checksum, calculation of whichinvolves at least in part the contents of the first field storing remotecommands,

with the process also including the following steps:

the subscriber identification module calculates a local checksum, usingat least in part the contents of the first field of the enhancedmessage,

the subscriber identification module compares the transmitted checksumto the local checksum so that the enhanced message is accepted if thetransmitted and local checksums are identical and rejected if they arenot.

Other characteristics and advantages of the invention will emerge fromreading the following description of one preferred embodiment of theinvention provided as a nonlimiting indicative example, and the attacheddrawings, wherein:

FIG. 1 is a particular embodiment of the structure of an enhancedmessage according to the invention;

FIGS. 2 to 4 are examples of exchanges of enhanced messages secured bythe method of the invention;

FIG. 5 is an example of calculating a cryptogram used in the method ofthe invention;

FIG. 6 is a simplified flowchart of a particular embodiment of themethod of the invention, and

FIGS. 7 to 9 each show one of the stages in the chart of FIG. 6, ingreater detail.

The invention thus relates to a particular enhanced message structureand a method for synchronizing and ensuring the security of the exchangeof enhanced messages with this structure,

In the particular embodiment described below, solely as a nonlimitingindicative example, the cellular radio communication system is of theGSM type and uses an enhanced short message center (ESMS).

It is clear however that the invention is not limited to a GSM typesystem but relates in general to all cellular radio communicationsystems offering enhanced message service.

Classically, in the case of the GSM, the enhanced short messages areexchanged between a short message service center (SMS-C) and one or moreof a plurality of mobile stations (MS). Each mobile station constitutesa terminal cooperating with a subscriber identification module (SIMmodule). The terminal has means for receiving an enhanced message. TheSIM module has means for storing and processing the enhanced messagereceived by the terminal. Each enhanced message contains remote commandsbelonging to a remote application of the SIM module. The SIM modulesupports this remote application (and possibly others) and includesmeans of executing these remote commands.

FIG. 1 shows a particular embodiment of the structure of an enhancedmessage according to the invention.

Classically, the enhanced message has a header 1 and body 2 (or TP-UDstanding for “Transfer Layer Protocol_User Data”). Body 2 has inparticular a “Command” field 3 in which the remote commands are stored.

According to the invention, these are for example classical commands(operational or administrative) defined in standards GSM 11.11, ISO78.16-4, or EN 726-3, such as SELECT, UPDATE BINARY, UPDATE RECORD,SEEK, CREATE FILE, CREATE RECORD, EXTEND, etc. In other words, theformat of these remote commands is identical to that of the localcommands the SIM module normally receives over its input/output line.Hence the SIM module can handle remote commands in the same way as localcommands.

In the particular embodiment shown in FIG. 1, body 2 of the enhancedmessage of the invention has several other fields, namely in particulara “Synchronization Counter” field 4, a “System” field 5, an “SMSCertificate” 6, and an “SMS-ID” field 7.

The content of each of the other fields 4 to 7 of body 2 of the enhancedmessage will now be presented in detail.

The “Synchronization Counter” field 4 contains the current value of asynchronization counter. As explained more precisely below in relationto FIGS. 2 to 4, 6, and 8, this current synchronization counter value isintended to be compared with a previous value of this samesynchronization counter, stored in the data storage means of the SIMmodule. Depending on the result of this comparison, the enhanced messageis either accepted or rejected by the SIM module.

The “System” field 5 contains information on the location, in the SIMmodule data storage means, of a system file itself containing eitherelements pertinent to the message-sending remote application, or otherinformation for locating these elements in the SIM module data storagemeans.

“Elements pertinent to the sending remote application” are understood inparticular to be the previous synchronization counter value as well as acryptographic function and its associated key (the latter two elementsenable a “local” cryptogram to be calculated, which is to be compared toa “transmitted” cryptogram contained in the “SMS Certificate” field 6).

It is known that a hierarchical structure with at least three levels canbe provided for the SIM module data storage means, with the followingthree types of files:

master file (MF);

dedicated file (DF), or secondary file placed under the master file,

elementary file (EF) placed under one of the dedicated files, known asparent dedicated file, or directly under the master file, known asparent master file.

In the case of such a hierarchical structure, the aforesaid system fileof the invention is for example an elementary system file (EF SMSSystem). The locating information contained in “System” field 5 is thenan identifier (“DF input”) of a dedicated file (DF) or a master file(MF) to which the elementary system file (EF SMS System) relatesaccording to a search strategy predetermined in the data storage means.

The SIM module uses for example a backtracking search mechanism, namely:

looking first in an elementary system file under the current dedicatedfile or master file (namely the file indicated by the “DF input”identifier),

then, if no elementary system file exists under the current dedicatedfile or master file and if the “DF input” identifier does not indicatethe master file, looking for an elementary system file directly underthe master file.

Thus, the SIM module reads in the enhanced message the “DF input”identifier contained in the “System” field 5. From this “DF input”identifier, it finds the elementary system file to which the remoteapplication sending the message is linked. In this elementary systemfile, the SIM module reads for example:

the current synchronization counter value, directly; and

the identifier of a dedicated file in which a key_op EF file containingthe pair (cryptographic function, associated key) linked to themessage-sending remote application is found.

The “SMS Certificate” field 5 contains a cryptogram (called “transmittedcryptogram” hereinbelow). As explained more precisely below, in relationto FIGS. 6 and 9, this transmitted cryptogram is intended to be comparedto a local cryptogram, which in its turn is calculated by the SIMmodule. Depending on the result of this comparison, the enhanced messageis either accepted or rejected by the SIM module.

A particular embodiment of calculating the transmitted cryptogramSMS-Cert will now be presented (this calculation is of course identicalto that of the local cryptogram). We have the following relationship:

SMS-Cert=4 least significant octets of [MAC_Alg_(algo) _(—) _(id)(K_(appli), SMS_data)] where

“Alg_(algo) _(—) _(id)” is the algorithm associated with the remoteapplication (the elementary system file (EF SYS System) makes itpossible to locate this algorithm, on which this remote applicationdepends);

K_(appli) is the secret (or public) key associated with the algorithmAlg_(algo) _(—) _(id);

“SMS_data”=Sync 1 Message (application), where:

“1” symbolizes the concatenation operator;

“Sync” is the value (current, for calculating the transmittedcryptogram) of the synchronization counter;

“Application Message” is the content of the “Commands” field 3 (in whichthe remote command are stored);

MAC_Alg_(algo) _(—) _(id) is a function based on the Alg_(algo) _(—)_(id) algorithm, which makes a calculation of the “MAC” (MessageAuthentication Code) type on the SMS_data concatenation using theK_(appli) key.

FIG. 5 is an example of calculating the SMS-Cert cryptogram transmittedin the case where the Alg_(algo) _(—) _(id) algorithm is MoU A3A8.Clearly, algorithm A3A8 is only one implementation example and otheralgorithms can be used. Of course, a more general implementation wouldbe to specify the algorithm to be used (by means of an algorithmidentifier) for a particular application.

The SMS_data concatenation is divided into n blocks B₁, B₂, . . . ,B_(n−1), B_(n) with n≦9. Blocks B₁ through B_(n) have for example 16octets. If the length of the SMS data concatenation does not enable alast block B_(n) having 16 octets to be obtained, the last block isleft-justified and completed to the right with octets with value 0 tobuild a block having 16 octets called B′_(n). These blocks are involvedin the following calculations:

I₁=A3A8 (K_(appli), B₁)

R₂=XOR (I₁, B₂)

I₂=A3A8 (K_(appli), R₂)

. . .

R_(n−1)=XOR (I_(n−2), B_(n−1))

I_(n−1)=A3A8 (K_(appli), R_(n−1))

R_(n)=XOR (I_(n−1), B′_(n))

I_(n)=A3A8 (K_(appli), R_(n))

I_(n) is the result of the function MAC_A3A8. XOR is the operatorcreating a bit-by-bit “exclusive-OR” between two chains of 16 octets.

The “SMS-ID” field 7 contains a checksum (called “transmitted checksum”hereinbelow). As explained more precisely below in relation to FIGS. 6and 7, this transmitted checksum is to be compared to a local checksumwhich is calculated by the SIM module. Depending on the result of thiscomparison, the enhanced message is either accepted or rejected by theSIM module.

A particular example of calculating the transmitted checksum SMS_ID willnow be presented (this calculation is of course identical to that of thelocal checksum. We have the relationship: SMS_ID=NO (Σ octets of“Commands” field 3).

FIG. 6 is a simplified flowchart of a particular embodiment of themethod of the invention for synchronizing and ensuring security ofexchanged enhanced messages having the structure in FIG. 1.

In this particular embodiment, the method according to the invention hasthe following steps in particular:

The message service center transmits (61) an enhanced message to the SIMmodule of the mobile station;

The SIM module checks (62) the transmitted checksum contained in the“SMS-ID” field 7 of the enhanced message;

If (63) the result of checking the transmitted checksum is incorrect,the enhanced message is rejected by the SIM module; if not (64), the SIMmodule checks (65) the current synchronization counter value, containedin the “Synchronization Counter” field 4;

If (62) the result of checking the current synchronization counter valueis incorrect, the enhanced message is rejected by the SIM module; if not(67), the SIM module immediately updates the preceding counter valuewith the current value before any further checks are done. It thenchecks (68) the transmitted cryptogram which is contained in the “SMSCertificate” field 6;

If (69) the result of checking the transmitted cryptogram is incorrect,the enhanced message is refused by the SIM module and if not (610), theSIM module executes (611) the remote commands contained in the“Commands” field 3.

As shown in greater detail in FIG. 7, step (62) of checking thetransmitted checksum itself includes the following steps:

The SIM module reads (71) the transmitted checksum in the “SMS-ID” field7 of the enhanced message;

The SIM module calculates (72) a local checksum according to the samecalculation rule used to calculate the transmitted checksum;

The SIM module compares (73) the transmitted checksum with the localchecksum.

Thus, at this first checking level, the enhanced message is accepted(64) if the transmitted and local checksums are identical and rejected(63) if they are not.

As shown in greater detail in FIG. 8, the step (65) in which the currentsynchronization counter value is checked itself contains the followingsteps:

The SIM module reads (81) in the “Synchronization Counter” field 4, thecurrent value of the synchronization counter;

The SIM module reads (82) in the “System” field 5 of the enhancedmessage, information locating a system file (EF SMS System). As alreadyexplained above, this locating information is for example the “DF input”identifier of a dedicated file (DF) or a master file (MF) to which thiselementary system file (EF SMS System) relates;

From this, the SIM module deduces (83) the location, in the SIM moduledata storage means, of the system file (EF SMS System) containing inparticular the previous synchronization counter value;

The SIM module reads (84), in the system file (EF SMS System), thepreceding value of the synchronization counter;

The SIM module compares (85) the current synchronization counter valuewith the previous value stored in the SIM module;

At this second checking level, the enhanced message is accepted by theSIM module if (67) the current value is definitely higher than thepreceding synchronization counter value. The SIM module can then update(86) the previous value with the current value;

If (66) the current value is less than or equal to the previoussynchronization counter value, the enhanced message is rejected by theSIM module. The SIM module can then send (87) an enhanced messagecontaining a specific error code back to the message service centertelling the message service center that the enhanced message it sentpreviously was rejected due to a counter synchronization problem.

One can for example decide that for each new enhanced messagetransmitted by the message service center, the current synchronizationcounter value will be incremented by a predetermined step (equal to 1for example). An enhanced message is then only accepted by the SIMmodule if the current synchronization counter value containing thisenhanced message is greater than the previous value stored by the SIMmodule.

One can also arrange for step 86, in which the previous synchronizationcounter value is updated with the current value, to be effected only ifthe difference between the synchronization counter current and previousvalues is less than a maximum predetermined incrementation.

FIGS. 2 to 4 show various examples of secured enhanced message exchangesaccording to the method of the invention. In each figure, the changefrom the current counter value, called E_Sync (in the “outside world,”on the left) and that of the stored value, called S_Sync (in the SIMmodule, on the right) is represented. Each arrow represents one message.

In the first case (FIG. 2), synchronization and transmission of theenhanced message are correct. We have: E_Sync (=1)>S_Sync (=0). Theprevious value is updated to 1 and the remote commands are executed.

In the second case (FIG. 3), there is a problem when transmitting theenhanced message. The SIM module does not respond. On the other hand,the second transmission attempt takes place smoothly. Finally, we have:E_Sync (=3)>S_Sync (=1). The previous value is updated to 3 and theremote commands are executed.

In the third case (FIG. 4), there is a synchronization problem at theoutset. We have: E_Sync (=1)<S_Sync (=5). Several enhanced messagesincluding current values incremented successively are sent until themessage service center is once again synchronized with the SIM module.This is the case when we have: E_Sync (=6)>S_Sync (=5). The previousvalue can then be updated to 6 and the remote commands are executed.

As shown in greater detail in FIG. 9, step (68) in which the transmittedcryptogram is checked itself has the following steps:

The SIM module reads (91), in the “SMS Certificate” field 6, the currentsynchronization counter value;

The SIM module calculates (92) a local cryptogram using the samecalculation rule used to calculate the transmitted cryptogram;

The SIM module compares (93) the transmitted cryptogram with the localcryptogram.

Thus, at this third checking level, the enhanced message is accepted(610) if the transmitted and local cryptograms are identical, andrejected (69) if they are not.

FIG. 9 also shows in greater detail step 92 in which the localcryptogram is calculated, divided into the following steps:

The SIM module reads (94), in the “System” field 5 of the enhancedmessage, information for locating a system file (EF SMS System);

From this, the SIM module deduces (95) the location, in the SIM moduledata storage means, of the system file (EF SMS System). This system fileitself contains another piece of locating information enabling the SIMmodule to find the cryptographic function and its associated key, whichare linked to the remote application sending the enhanced message;

The SIM module calculates (96) the local cryptogram, using thecryptographic function and its associated key, as explained above.

It should be noted that step 94 and the start of step 95 have actuallybeen completed already, as explained before, to find the previoussynchronization counter value (which is directly stored in the filesystem (EF SMS System)).

Clearly, numerous other embodiments of the invention could be envisaged.

In particular, two separate system fields could be provided, one to findthe previous synchronization counter value and the other to find thecryptographic function and its associated key. In this case, one wouldhave two “System” fields of the type with reference numeral 5.

The cryptographic function can also be of the public key type.

Finally, it should be noted that step 62 in which the checksum isverified and step 68 in which the transmitted cryptogram is verifiedcould be omitted.

What is claimed is:
 1. Enhanced message of the type transmitted by amessage service center (C-SMS) to a mobile station (MS) of a cellularradio communication system, said enhanced message including a header (1)and a body (2), said body (2) containing in particular a first field (3)storing remote commands belonging to an application remote from saidmobile station, said mobile station constituting a terminal cooperatingwith a subscriber identification module, said terminal including meansfor receiving said enhanced message, said subscriber identificationmodule including means for storing and processing said enhanced messagereceived by the terminal, said subscriber identification module servingto support said remote application and including means for executingsaid remote commands, said enhanced message being characterized in thatsaid body (2) also includes a second field (4) for storing the currentvalue of a synchronization counter, said current value of thesynchronization counter being intended to be compared to a previousvalue of the synchronization counter stored in the subscriberidentification module such that said enhanced message is accepted orrejected by the subscriber identification module depending on the resultof comparing the current with the previous value of the synchronizationcounter, said previous value being updated with said current value onlyonce the enhanced message has been accepted by the subscriberidentification module.
 2. Enhanced message according to claim 1,characterized in that body (2) of said enhanced message also includes athird field (5) storing a first piece of information pinpointing thelocation of said previous synchronization counter value in saidsubscriber identification module data storage means.
 3. Enhanced messageaccording to claim 2, wherein said subscriber identification module datastorage means have a hierarchical structure with at least three levelsincluding at least the following three types of files: master file (MF);dedicated file (DF) or dedicated file placed under said master file,elementary file (EF) placed under one of said dedicated files, known asparent dedicated file, or directly under said master file, known asparent master file, an elementary system file (EF SMS System) specificto each remote application containing a second piece of informationpinpointing the location of said previous synchronization counter valuein said subscriber identification module data storage means, saidenhanced message being characterized in that said first piece oflocating information contained in said third storage field (5) is anidentifier of a dedicated file (DF) or master file (MF) to which saidelementary system file (EF SMS System) relates according to apredetermined search strategy in the data storage means.
 4. Enhancedmessage according to claim 1, characterized in that said body alsoincludes a fourth field (6) storing a cryptogram, known as transmittedcryptogram, calculation of which at least partially involves the contentof the second field storing the current synchronization counter value,said transmitted cryptogram being intended to be compared with anothercryptogram, known as local cryptogram, calculated by the subscriberidentification module so that said enhanced message is accepted by thesubscriber identification module if the transmitted and localcryptograms are identical, and rejected if they are not.
 5. Enhancedmessage according to claim 4, characterized in that calculation of saidtransmitted and verification cryptograms also involves, at leastpartially, the content of the first field (3) storing the remotecommands.
 6. Enhanced message according to claim 5, characterized inthat calculation of said transmitted and local cryptograms involves atleast the entire content of the second field (4) storing the currentsynchronization counter value and the entire content of the first field(3) storing the remote commands.
 7. Enhanced message according to claim1, characterized in that said transmitted and local cryptograms arecalculated with a cryptographic function belonging to the groupincluding: the secret key cryptographic functions; and the public keycryptographic functions.
 8. Enhanced message according to claim 1,whereby said subscriber identification module stores, in said subscriberidentification module data storage means, a cryptographic function andan associated key which are specific to said remote application andenables said local cryptogram to be calculated, said enhanced messagebeing characterized in that the body of said enhanced message alsoincludes a fifth field (5) storing a third piece of informationpinpointing the location in said data storage means where saidcryptographic function and said associated key specific to said remoteapplication are stored.
 9. Enhanced message according to claim 1,characterized in that said third field (5) also constitutes said fifthfield, and said first piece of locating information also constitutessaid third piece of locating information.
 10. Enhanced message accordingto claim 1, characterized in that said body (2) also includes a sixthfield (7) storing a checksum, known as transmitted checksum, calculationof which involves, at least in part, the contents of the first field (3)storing remote commands, said transmitted checksum being intended forcomparison with another checksum known as local checksum, calculated bythe subscriber identification module, so that said enhanced message isaccepted by the subscriber identification module if the transmittedchecksum and local checksum are identical, and rejected if they are not.11. Enhanced message according to claim 1, said subscriberidentification module including an input/output line over which itreceives local commands belonging to an application local to said mobilestation, characterized in that said remote commands contained in saidfirst field (3) of said enhanced message are substantially identical tosaid local commands received over the input/output line.
 12. Method forsynchronizing and ensuring security of enhanced messages exchangedbetween a message service center (C-SMS) and a mobile station (MS) of acellular radio communication system, each enhanced message including aheader (1) and a body (2), said body (2) containing in particular afirst field (3) for storing remote commands belonging to a remoteapplication of said mobile station, said mobile station constituting aterminal cooperating with a subscriber identification module, saidterminal including means for receiving said enhanced message, saidsubscriber identification module including means for storing andprocessing said enhanced message received by the terminal, saidsubscriber identification module serving to support said remoteapplication and including means for executing said remote commands, saidmethod being characterized by having in particular the following steps:said message service center transmits (61) to said mobile station anenhanced message whose body also includes a second field in which thecurrent value of a synchronization counter is stored; the subscriberidentification module of the mobile station compares (65, 85) saidcurrent synchronization counter value contained in said enhanced messagewith a previous synchronization counter value stored in the subscriberidentification module; the subscriber identification module accepts (67)or rejects (66) said enhanced message depending on the result ofcomparing the current with the previous synchronization counter values;if the enhanced message has been accepted, the subscriber identificationmodule updates (86) said previous value with said current value. 13.Method according to claim 12, characterized in that, for each newenhanced message of said remote application transmitted by said messageservice center, the current synchronization counter value is incrementedby a predetermined step, and in that said enhanced message is acceptedby the subscriber identification module only if said currentsynchronization counter value is higher than said previous value. 14.Method according to claim 12, characterized in that said step in whichthe previous synchronization counter value is updated with said currentvalue is carried out only if the difference between said current andprevious values is less than a maximum predetermined increment. 15.Method according to claim 12, characterized by also including thefollowing step: when said enhanced message is rejected (66) by thesubscriber identification module, the latter sends back (87) to themessage service center an enhanced message containing a specific errorcode telling the message service center that said enhanced message thatit previously transmitted was rejected due to a counter synchronizationproblem.
 16. Method according to claim 12, characterized in that thebody (2) of said enhanced message transmitted by the message servicecenter to the mobile station also includes a third field (5) storing afirst piece of information pinpointing the storage location, in saidsubscriber identification module data storage means, of said previoussynchronization counter value, and in that said comparison step (85) bythe subscriber identification module of the current and previoussynchronization counter values is preceded by the following steps: thesubscriber identification module reads (82) said first piece of locatinginformation contained in the third field of said enhanced message; thesubscriber identification module deduces (83) therefrom the storagelocation of the previous synchronization counter value; the subscriberidentification module reads (84), in said storage location, the previoussynchronization counter value.
 17. Method according to claim 12,characterized in that the body (2) of the enhanced message transmittedby the message service center to the mobile station also includes afourth field (6) storing a cryptogram, known as transmitted cryptogram,calculated using at least part of the contents of the second field (4)storing the current synchronization counter value, and in that saidmethod also includes the following steps: the subscriber identificationmodule calculates (92) a local cryptogram, using at least in part thecontents of the second field (4) of said enhanced message; thesubscriber identification module compares (93) said transmittedcryptogram to said local cryptogram so that said enhanced message isaccepted if the transmitted and local cryptograms are identical andrejected if they are not.
 18. Method according to claim 12, whereby saidsubscriber identification module stores, in said subscriberidentification module data storage means, a cryptographic function andan associated key that are specific to said remote application enablingsaid local cryptogram to be calculated, characterized in that the bodyof said enhanced message transmitted by the message service center tothe mobile station also includes a fifth field (5) storing a third pieceof information pinpointing the storage location, in said data storagemeans, of said cryptographic function and said associated key, and inthat said step (92) in which the subscriber identification modulecalculates said local cryptogram is divided into the following steps:the subscriber identification module reads (94) said third piece oflocating information contained in the fifth field (5) of said enhancedmessage; the subscriber identification module (95) deduces from this thestorage location of said cryptographic function and said associated key;the subscriber identification module calculates (96) said localcryptogram, using said cryptographic function, said associated key, andat least part of the contents of the second field (4) of said enhancedmessage.
 19. Method according to claim 18, whereby said subscriberidentification module data storage means possess a hierarchicalstructure with at least three levels having at least the following threetypes of files: master file (MF); dedicated file (DF), or dedicated fileplaced under said master file, elementary file (EF) placed under one ofsaid dedicated files, known as parent dedicated file, or directly undersaid master file, known as parent master file, said method beingcharacterized in that an elementary system file (EF SMS System) specificto each remote application, contains a second piece of informationpinpointing the location, in said subscriber identification module datastorage means, of said previous synchronization counter value, of saidcryptographic function, and of said associated key, and in that saidthird field (5) also constitutes said fifth field with said first pieceof locating information also constituting said third piece of locatinginformation, and characterized in that said first piece of locatinginformation contained in said third storage field (5) is an identifierof a dedicated file (DF) or master file (MF) to which said elementarysystem file (EF SMS System) relates according to a predetermined searchstrategy in the data storage means.
 20. Method according to claim 12,characterized in that body (2) of said enhanced message transmitted bythe message service center to the mobile station also includes a sixthfield (7) storing a checksum, known as transmitted checksum, calculationof which involves at least in part the contents of the first field (3)storing remote commands, and in that said method also includes thefollowing steps: the subscriber identification module calculates (72) alocal checksum, using at least in part the contents of the first field(3) of said enhanced message, the subscriber identification modulecompares (73) said transmitted checksum to said local checksum so thatsaid enhanced message is accepted if the transmitted and local checksumsare identical and rejected if they are not.